userCertificate
by Leonardo
I would like to know if it is possible to read a certificate field directly
from OpenLDAP?
This certificate is stored in OpenLDAP. Its attribute in OpenLDAP is
userCertificate.
12 years, 1 month
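One way to get the stored certificate out of an entry and into a form openssl or a TLS library can read, as an added example that is not part of the original post: the script parses LDIF as produced by `ldapsearch -LLL -b <dn> userCertificate` (folded continuation lines and `::` base64 values) and wraps the DER bytes as PEM. The LDIF and the certificate bytes are constructed placeholders, not a real certificate.

```python
import base64
import ssl

# Constructed sample of what "ldapsearch -LLL -b uid=alice,... userCertificate"
# prints: the DER value is base64-encoded after "::" and folded onto a
# continuation line (leading space). These bytes are a placeholder, not a cert.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
userCertificate;binary:: MDEyMzQ1Njc4
 OWFiY2RlZg==
"""

def parse_ldif(text):
    """Parse LDIF into a list of {attr: [value, ...]} dicts, one per entry.
    Folded lines are joined first; 'attr::' values are base64-decoded to
    bytes, plain 'attr:' values are kept as str."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    entries, entry = [], {}
    for line in logical + [""]:             # trailing "" flushes the last entry
        if not line:
            if entry:
                entries.append(entry)
                entry = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip()
        entry.setdefault(name, []).append(value)
    return entries

def certificate_der(entry):
    """Raw DER bytes of the entry's userCertificate; servers return the
    attribute with or without the ';binary' transfer option."""
    values = entry.get("userCertificate;binary") or entry.get("userCertificate")
    if not values:
        raise KeyError("entry has no userCertificate attribute")
    return values[0]

def certificate_pem(entry):
    """Wrap the DER as PEM for 'openssl x509 -noout -text' or a TLS library."""
    return ssl.DER_cert_to_PEM_cert(certificate_der(entry))
```

With a real entry, write the PEM to a file and run `openssl x509 -in cert.pem -noout -subject -dates` to read the fields.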
difficulties to stop slapd
by LALOT Dominique
Hello,
Our openldap is sometimes long to stop and init scripts failed to stop.
Apr 20 09:10:47 ldap1 slapd[15105]: daemon: shutdown requested and initiated.
Apr 20 09:10:47 ldap1 slapd[15105]: slapd shutdown: waiting for 0 operations/tasks to finish
Apr 20 09:12:46 ldap1 slapd[15105]: slapd stopped.
It took 2 minutes to stop. So the init script failed and restart is not
safe. An auto update on Ubuntu once left slapd in a strange state, and the
cause was that long wait for 0 tasks to finish. Normally, zero means
immediate. Here, two minutes!
We have 5 glued bdb databases. Is it due to the bdb close for these
databases? Is there a way to make things more reliable?
OpenLDAP: slapd 2.4.23 (Mar 30 2011 16:20:41) $ buildd@crested:/build/buildd/openldap-2.4.23/debian/build/servers/slapd
Description: Ubuntu 10.10
2.6.35-27-server #48-Ubuntu SMP Tue Feb 22 21:53:16 UTC 2011 x86_64
GNU/Linux
libdb-4.8.so
Thanks
Dom
--
Dominique LALOT
Systems and Networks Engineer
http://annuaire.univmed.fr/showuser.php?uid=lalot
12 years, 1 month
cn=config replication to consumer / slave servers
by Christopher Strider Cook
I have a pair of mirror mode master servers that I would like to be able
to provide cn=config replication to a series of slave servers,
primarily to keep ACLs in sync across servers.
I've tried syncrepl to the cn=config of the primary servers, trying to
exclude certain objects and attributes to prevent the slave from also
taking the syncprov role. This did not seem to work well enough, as I was
unable to prevent some unwanted entry or another from making its way
through and overwriting the syncrepl line itself.
Alternately, I tried to set up a separate database cn=config_slave and
have that syncrepl to the slave into cn=config... but that creates a
naming mismatch.
Is there an approved practice to achieve this, or some other pointers on
avenues to explore?
Thanks,
Chris
12 years, 1 month
memberof/accesslog overlays together
by Michael Ströder
Hi!
Unfortunately for privacy reasons I can't provide example data.
I'm using slapo-memberof, slapo-refint and slapo-access in exactly this order.
Now I'm analysing some strange things where modifications to group entries and
the subsequent modifications by slapo-memberof are not correctly written to
the accesslog DB.
Questions:
1. Is this overlay order a correct setup? Should this work? Or should
slapo-memberof be invoked after slapo-access?
2. CHANGES of release 2.4.24 lists a bunch of fixes to slapo-memberof. Any
changes which possibly affect writing to accesslog DB? (I'm not sure whether
we had problems like this with 2.4.23 or not though.)
Ciao, Michael.
12 years, 1 month
delta-syncrepl and N-Way Multi-Master
by Al
Hi All,
I am researching implementation options, and am not 100% clear on
whether delta-syncrepl and N-Way Multi-Master are compatible. Can you
confirm or deny?
If so, have people found success using this?
Thanks in advance,
Al
12 years, 1 month
newbie slapd.conf VS slapd.d management ?
by Olivier
Hi everyone,
SUMMARY :
IN A DAY TO DAY ADMINISTRATION, SHOULD I EDIT SLAPD.CONF
AND USE SLAPTEST TO TRANSLATE INTO SLAPD.D STYLE OR
SHOULD I EDIT DIRECTLY FILES IN SLAPD.D AND DEFINITIVELY
REMOVE THE SLAPD.CONF FILE ?
IN THE FORMER CASE, IS THERE A DOCUMENTATION THAT DOESN'T
MIX SLAPD.CONF WITH SLAPD.D STYLE (I'm a bit confused with the examples
I find, to be honest).
Additional info about my question :
I have just started with LDAP and I want to deploy an internal LDAP directory
that will be used for various applications (authentication, information
about staff in the company, etc). We are fresh, therefore we start
"from scratch".
I'm playing with an OpenLDAP 2.4 server installed on Fedora.
The documentation about the slapd configuration file(s) is not quite
clear to me: I find information about how to configure the server by
editing "slapd.conf", and at the same time this documentation says
that this file is obsolete and configuration files should now be
stored in the "slapd.d" directory.
I have managed to edit a correct slapd.conf file and I translated it
to slapd.d style using the slaptest utility: slapd is running and I can
query my directory... ok!
But could someone tell me what is the PROPER way to now maintain
and administer an operational OpenLDAP directory: slapd.conf
or slapd.d style?
THANKS FOR YOUR HELP !
---
Olivier
12 years, 1 month
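The day-to-day cn=config workflow the question is asking about, as an added example that is not from the thread: rather than editing slapd.conf and re-running slaptest, or touching the files under slapd.d by hand, a change is written as LDIF and applied to the running server with `ldapmodify -Y EXTERNAL -H ldapi:///`, which validates it before it takes effect. The database DN `olcDatabase={1}bdb,cn=config` and the ACL content are placeholders, and the example assumes the cn=config database grants the local root user access over ldapi:/// via SASL EXTERNAL (check with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess`).

```ldif
# Replace the ACL set of the first data database with one that lets users
# change their own password, lets anonymous binds use it for authentication,
# and lets authenticated users read everything else. The {1}bdb suffix is a
# placeholder: list the real one with
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase=*)" dn
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by self write
  by users read
  by * none
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif`; a malformed change is rejected immediately instead of surfacing at the next restart, which is the point of changing the configuration through the protocol rather than the files.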
AD sporadically gives LDAP_SERVER_DOWN after the first request
by Markus Sander
My employer ships software for Linux and other Unix-like OSes that binds
to Active Directory in order to, basically, integrate them with AD.
Functionally, it is not too dissimilar to pam_krb5 and nss_ldap.
OpenLDAP 2.4.18 is used to bind to Active Directory LDAP servers.
Authentication (to a machine trust account) is done using a Kerberos
keytab. MIT Kerberos is used.
Group membership data are stored in LDAP objects of class Group which
have the `member' attribute (multiply) filled with the DN of all
members. Those DNs are of type Group or of type User (I'm just chasing
users for now), and their `sAMAccountName' value is what I need to give
to NSS as the group member's name.
My procedure is as follows: First, I bind to one of several configured
LDAP servers using SASL2/GSSAPI, i.e. Kerberos 5. Then I inquire all of
the result set's `member' attributes and resolve the resulting DNs one
by one to build a DN => sAMAccountName map in memory (that's about 10k
entries, so, not a problem here). Then, I request the actual group
entries and look up the DNs in the `member' attribute in the map. Last,
the connection is terminated.
The group members' `sAMAccountName' is inquired one by one with the base
set to the DN (which I already know), the scope set to flat, and the
filter set to (objectClass=*). So that's about 10k single queries in
quick succession. The whole group query typically takes about 6 seconds.
The problem is: OpenLDAP sometimes gives me LDAP_SERVER_DOWN during the
`sAMAccountName' queries. This occurs sporadically but then typically
for the rest of the `sAMAccountName' queries. The group entry query that
follows does succeed. Most of the time the first of those errors
immediately follows a GSSAPI error, namely "DES key is a weak key",
which may be true but appears unrelated, since only AES512, AES256 and
HMAC are used in the keytab.
The customer's DC admins say that the DCs are not at fault. We asked
them to try to increase the server limits (such as max number of active
queries per worker thread, which defaults to 4 or something), since
about 2k client workstations molest 4 DCs every 30 minutes with the
mentioned query (and others). They are very reluctant to do that and we
have trouble replicating the problem in-house anyway, so overload need
not be the root cause. The DC logs reportedly show nothing unusual.
My software has been in use for about three months now, but the rollout
was still ongoing until lately. Customer acceptance tests did not
report the problem. The first incident was reported about two weeks
ago. They set up monitoring and the bell now rings every couple of
minutes somewhere. Most queries still get through without problem,
though. Other queries, such as those for Netgroups, do not seem to have
any problem. They also doubled the number of DCs (to four) four weeks
ago, since the two they had were quite busy. The new DCs are similar in
hardware but are significantly less under load, which seems odd since
all four of those DCs exist just to serve our software and our software
can be shown to distribute the queries fairly. Restricting our software
to only the old or only the new DCs does not have any effect on the
failure rate.
I increased the OpenLDAP log level, but nothing enlightening turned up.
What could be the cause of the failures during the group member resolution?
12 years, 1 month
Configuration on Windows xp of OpenLDAP
by Mahesh Birajdar
Hi all,
I am new to the OpenLDAP stuff. I want to configure OpenLDAP on the Windows platform and create users and administer them.
Can anyone please help me?
Any document stating how to configure and create users and administer them would be very much helpful.
Thanks and Regards,
MAHESH BIRAJDAR
12 years, 1 month
return an attribute of all users belonging to a group
by George Mamalakis
Dear all,
I have a question regarding my openldap DIT design. My design so far is
based on the model: ou=people,dc=example,dc=com. It is very possible
that I'll have to be able to find attributes of people belonging to some
specific group (eg, student, postgrad, etc). The easiest way to address
this issue for me would be to branch my DIT like this:
ou=undergrads,ou=people,dc=example,dc=com and
ou=postgrads,ou=people,dc=example,dc=com. On the other hand, I have
several classes that I would like to distinguish my users by apart from
this (like staff, students, professors, etc.), but further sub-branching
shows me that there's something wrong with my design (since those
classes may dynamically change in the future).
As a second solution I thought that it would be very easy to make my
users in ou=people,dc=example,dc=com belong to some group located in
ou=groups,dc=example,dc=com. This way I feel much more flexible in
making such classifications, but my problem is how to formulate
ldapsearch filters so as to return an attribute of some user only if the
specific user belongs to one or more of my groups (for example to find
all email accounts from my people that belong to the undergrads group).
Thank you all for your time in advance,
kind regards,
George Mamalakis.
PS. In case this is not the right place to ask questions
regarding LDAP programming, please point me to some related resource.
The truth is that I haven't found such a place by googling, meaning that
the places I've found did not seem to be well maintained.
--
George Mamalakis
IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)
Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki
phone number : +30 (2310) 994379
12 years, 1 month
Re: return an attribute of all users belonging to a group
by George Mamalakis
On 17/04/2011 14:03, Stefan Seelmann wrote:
> Hi George,
>
> On Sun, Apr 17, 2011 at 12:07 PM, George Mamalakis<mamalos(a)eng.auth.gr> wrote:
>> Dear all,
>>
>> I have a question regarding my openldap DIT design. My design so far is
>> based on the model: ou=people,dc=example,dc=com. It is very possible that
>> I'll have to be able to find attributes of people belonging to some specific
>> group (eg, student, postgrad, etc). The easiest way to address this issue
>> for me would be to branch my DIT like this:
>>
>> ou=undergrads,ou=people,dc=example,dc=com and
>> ou=postgrads,ou=people,dc=example,dc=com. On the other hand, I have several
>> classes that I would like to distinguish my users by apart from this (like
>> staff, students, professors, etc.) but further sub-branching shows me that
>> there's something wrong with my design (since those classes may dynamically
>> change in the future).
>>
>> As a second solution I thought that it would be very easy to make my users
>> in ou=people,dc=example,dc=com belong to some group located in
>> ou=groups,dc=example,dc=com. This way I feel much more flexible in making
>> such classifications, but my problem is how to formulate ldapsearch filters
>> so as to return an attribute of some user only if the specific user belongs
>> to one or more of my groups (for example to find all email accounts from my
>> people that belong to the undergrads group).
> A third approach is to store the group as attribute in the user
> entries. The eduPerson schema [1] should fit your needs. Add the
> eduPerson object class to your user entries and use the
> eduPersonAffiliation multi-valued attribute to add the groups.
>
> Kind Regards,
> Stefan
>
> [1] http://middleware.internet2.edu/eduperson/
>
Stefan,
thank you very much for your advice. I had already included the
eduperson schema in my configuration, but I had never seen this
attribute in use. I will definitely take advantage of it, now that you
told me its use.
Thanks again for your help,
regards,
George.
--
George Mamalakis
IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)
Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki
phone number : +30 (2310) 994379
12 years, 1 month
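The search filters for the second approach (users as members of a group under ou=groups, queried through slapo-memberof) and Stefan's third (eduPersonAffiliation on the user entry), plus the overlay-free fallback of reading the group's member DNs and fetching each one with a scope-base search, as an added example that is not from the thread. The DIT values are the constructed ones from the question; the point it adds is that a DN or affiliation value must be escaped per RFC 4515 before it is spliced into a filter.

```python
import shlex

# Constructed DIT values for the examples: people under ou=people and groups
# under ou=groups of dc=example,dc=com, as in the question.

def escape_filter_value(value):
    """Escape an assertion value per RFC 4515: '*', '(', ')', '\\' and NUL
    become \\XX, so a DN or user-supplied value spliced into a filter cannot
    change its structure (e.g. widen an AND into a match-everything)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def memberof_filter(group_dn, attr):
    """Entries that are members of GROUP_DN and have ATTR. Needs slapo-memberof
    loaded, which maintains memberOf on each member's entry."""
    return "(&(memberOf=%s)(%s=*))" % (escape_filter_value(group_dn), attr)

def affiliation_filter(affiliation, attr):
    """Same selection when the group is recorded on the user itself as a
    value of eduPersonAffiliation (eduPerson schema)."""
    return "(&(eduPersonAffiliation=%s)(%s=*))" % (
        escape_filter_value(affiliation), attr)

def member_lookups(member_dns, attr):
    """Fallback when neither attribute is available: read the group's member
    values, then fetch ATTR from each DN with a scope-base search, one search
    per DN. Returns (base, scope, filter, attrs) tuples."""
    return [(dn, "base", "(objectClass=*)", [attr]) for dn in member_dns]

def ldapsearch_command(base, scope, flt, attrs):
    """Render one lookup as an ldapsearch command line; shlex.quote keeps
    '*', '(' and any odd characters in a DN from being interpreted by the shell."""
    parts = ["ldapsearch", "-LLL", "-b", base, "-s", scope, flt, *attrs]
    return " ".join(shlex.quote(p) for p in parts)
```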